PatchSiren cyber security CVE debrief
CVE-2022-43939 Hitachi Vantara CVE debrief
CVE-2022-43939 is a Hitachi Vantara Pentaho Business Analytics (BA) Server authorization bypass issue tied to non-canonical URL paths being used for authorization decisions. CISA lists it in the Known Exploited Vulnerabilities catalog, so defenders should treat it as an actively relevant exposure and prioritize remediation on any affected Pentaho BA Server instance.
- Vendor: Hitachi Vantara
- Product: Pentaho Business Analytics (BA) Server
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2025-03-03
- Original CVE updated: 2025-03-03
- Advisory published: 2025-03-03
- Advisory updated: 2025-03-03
Who should care
Security teams, system owners, and administrators responsible for Hitachi Vantara Pentaho Business Analytics (BA) Server deployments—especially environments exposed to the internet or used for sensitive reporting and analytics.
Technical summary
The vendor’s resolved advisory identifies the issue as use of non-canonical URL paths for authorization decisions in Pentaho BA Server. The advisory notes affected versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. CISA’s KEV entry classifies the vulnerability as known exploited and sets a due date for remediation. No CVSS score was provided in the supplied corpus.
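The weakness class named in the advisory, authorization applied to a request path before it has been reduced to one canonical form, is easiest to see side by side. The block below is an added illustration written for this debrief; it is not Pentaho code and does not reflect Pentaho's routing or the specific paths involved in CVE-2022-43939. The protected prefix `/admin/`, the `canonicalize` routine and the sample request paths are all hypothetical, constructed for the example.

```python
"""Added example (not vendor code): authorize on the canonical path, not the raw one.

A hypothetical policy protects everything under /admin/. The naive gate inspects
the request path as received; the hardened gate normalizes it first so that
encoded, doubled-slash, dot-segment and backslash spellings of the same
location all reach the same decision. Sample paths are constructed."""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin/"  # hypothetical protected area


def canonicalize(path: str) -> str:
    """Reduce a request path to a single canonical form before any decision.

    Steps: bounded repeated percent-decoding (catches double encoding),
    drop query/fragment, treat backslash as a separator, collapse runs of
    slashes, then resolve '.' and '..' segments. Case folding is deliberately
    not done; it only belongs here if the route table is case-insensitive.
    """
    decoded = path
    for _ in range(3):  # bounded: refuse input that keeps changing
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise ValueError("path still changing after repeated decoding")
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]
    decoded = decoded.replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    # posixpath.normpath preserves a leading '//', so collapse slashes first
    decoded = re.sub(r"/+", "/", decoded)
    return posixpath.normpath(decoded)


def naive_is_protected(path: str) -> bool:
    """The flawed pattern: prefix check on the raw request path."""
    return path.startswith(PROTECTED_PREFIX)


def hardened_is_protected(path: str) -> bool:
    """Prefix check on the canonical path; all spellings of /admin/x agree."""
    canon = canonicalize(path)
    return canon == PROTECTED_PREFIX.rstrip("/") or canon.startswith(PROTECTED_PREFIX)


def decide(path: str, is_admin: bool, canonical: bool = True) -> str:
    """Return 'allow' or 'deny' for a request, using either gate."""
    protected = hardened_is_protected(path) if canonical else naive_is_protected(path)
    return "allow" if (is_admin or not protected) else "deny"


if __name__ == "__main__":
    for p in ["/admin/users", "/public/../admin/users", "/%61dmin/users", "//admin/users"]:
        print(f"{p!r:32} naive={decide(p, False, canonical=False)}  hardened={decide(p, False)}")
```

The design point is that every check that gates access must see the same string the dispatcher will act on, and that normalization must happen once, before any decision, rather than separately in each handler.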
Defensive priority
High. This vulnerability is in CISA’s KEV catalog, indicating it should be remediated promptly and verified across all Pentaho BA Server installations.
Recommended defensive actions
- Confirm whether any Pentaho Business Analytics (BA) Server deployments are running versions before 9.4.0.1 or 9.3.0.2, including 8.3.x.
- Apply the vendor’s mitigations or upgrade to a fixed version as directed in the official Pentaho advisory.
- Follow CISA BOD 22-01 guidance for cloud services where applicable.
- If mitigations are unavailable, discontinue use of the affected product until a supported fix can be applied.
- Prioritize remediation for internet-facing systems and verify that all instances, including test and backup environments, are covered.
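The first two actions above amount to an inventory check against the version ranges the advisory names. The script below is an added example for this debrief, not a vendor or CISA tool. It assumes the following reading of "versions before 9.4.0.1 and 9.3.0.2 including 8.3.x": a 9.4.x build is affected below 9.4.0.1, a 9.3.x build below 9.3.0.2, and every 8.3.x build is affected; any other release line is reported as needing review against the vendor advisory rather than guessed. The inventory rows are constructed.

```python
"""Added example (not vendor or CISA code): triage Pentaho BA Server versions
against the affected ranges named in the advisory for CVE-2022-43939.

Assumed range semantics (see lead-in): 9.4.x affected below 9.4.0.1,
9.3.x affected below 9.3.0.2, all 8.3.x affected, other lines -> review."""
import re
from typing import List, Tuple

FIXED_BUILD = {(9, 4): (9, 4, 0, 1), (9, 3): (9, 3, 0, 2)}  # from the advisory
AFFECTED_LINES = {(8, 3)}                                     # from the advisory
PRIORITY_ORDER = {"P1": 0, "P2": 1, "-": 2}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.4.0.1' (or '9.4.0.1-123') into a 4-tuple, padding with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", v)][:4]
    if not nums:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(nums + [0] * (4 - len(nums)))


def triage(version: str) -> str:
    """Return 'affected', 'fixed' or 'review' for one version string."""
    ver = parse_version(version)
    line = ver[:2]
    if line in FIXED_BUILD:
        return "affected" if ver < FIXED_BUILD[line] else "fixed"
    if line in AFFECTED_LINES:
        return "affected"
    return "review"


def triage_inventory(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str, str]]:
    """Rows are (host, version, internet_facing). Affected internet-facing
    hosts get P1, other affected hosts P2, everything else '-'. Output is
    sorted so the P1 rows come first, matching the remediation guidance."""
    rows = []
    for host, version, internet_facing in inventory:
        status = triage(version)
        if status == "affected":
            priority = "P1" if internet_facing else "P2"
        else:
            priority = "-"
        rows.append((host, version, status, priority))
    return sorted(rows, key=lambda r: (PRIORITY_ORDER[r[3]], r[0]))


# Constructed inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("bi-prod-01", "9.4.0.0", True),
    ("bi-prod-02", "9.4.0.1", True),
    ("bi-test-01", "9.3.0.1", False),
    ("bi-legacy-01", "8.3.0.25", False),
    ("bi-backup-01", "9.3.0.2", False),
    ("bi-new-01", "10.1.0.0", True),
]

if __name__ == "__main__":
    for host, version, status, priority in triage_inventory(SAMPLE_INVENTORY):
        print(f"{priority:3} {host:14} {version:10} {status}")
```

Test and backup hosts are included deliberately; the last action above is that remediation is verified on every instance, not only the production ones.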
Evidence notes
CISA’s KEV record lists Hitachi Vantara Pentaho Business Analytics (BA) Server as a known exploited vulnerability and includes the vendor advisory reference: “Resolved Pentaho BA Server Use of Non-Canonical URL Paths for Authorization Decisions Versions before 9.4.0.1 and 9.3.0.2 including 8.3.x Impacted CVE-2022-43939.” The supplied corpus also states required actions: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. Known ransomware campaign use is listed as Unknown.
Official resources
- CVE-2022-43939 CVE record (CVE.org)
- CVE-2022-43939 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA): apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA KEV lists this vulnerability as known exploited. The supplied timeline shows the KEV date added as 2025-03-03 and due date as 2025-03-24; these dates are used here for remediation context, not as the original issue date. The corpus did